handout Cybersecurity ready · 2017. 10. 23. · Secure your data by making backups in the time your data are not stolen, lost, hacked or changed by a criminal. Or lets take a typical

Cybersecurity Best Practices for Local Government

IMLA-‐Conference, 10/16/17, Niagara Falls, Can.

Best – Practice – Checklist

for your work, for your government, for your office, for you

Handout by (*): Benjamin E. Griffith Sven Kohlmeier Griffith Law Firm Kohlmeier Law Firm (*) for more information about the speaker see last page

Best – Practice – Checklist

o ✔ check here what you already did ê o 1. risk analysis

o 2. backups

o 3. staff training

o 4. vulnerability scanning and patching

o 5. updating and patching product servers

o 6. application whitelisting

o 7. incident response

o 8. business continuity

o 9. restriction administration privileges

o 10. network segmentation and segregation into

security zones

o 11. input validation

o 12. file reputation

o 13. understand and using firewalls

o 14. penetration testing

Best – Practice – Step-‐by-‐step

✔ 1. Risk analysis The first step in this grass-roots approach of the cyber security fight is the

recognition of the importance of cyber-security by local leaders to include mayors

and town councils, chambers of commerce, school boards and civic groups. Such

leadership has the ability to raise awareness of cyber-security among their

respective constituencies.

Asking yourself some questions and give an honest answer: Do you feel well

prepared against cyber attacks on your personal or office device? Are you well

trained to identify unsecure emails, programs or computer devices? Who in your

company or government is the “Chief Information Security Officer“?

Risk analysis is the description of the complete process to identify, evaluate and

score the risk and last but not least fix the risk. The steps for a risk analysis are

• risk identification

• risk analysis

• risk evaluation

Depending on the size of the office, importance for the local or state people,

importance for city or national security pp the level of fixing the risk could be

different: software update, new acquisition of it infrastructure, moving in a new

building.

If you need help with your risk analysis use a specialist or specialized company.

Or ask similar local authorities about their risk analysis. In some states or

countries it could be required by law or in house/company-rules to made and

written down a risk analysis.


✔ 2. Backups

Secure your data by making backups in the time your data are not stolen, lost,

hacked or changed by a criminal. Or lets take a typical example: your cup of

coffee tip over the device, unwillingly or willingly (happened!) you destroy your

device by kicking it by foot. Or an employee become ill and you need his/her data

to work on a project.

Make the backup and recovery plan as good as the government can afford, since

a cyber attacker with the time and desire will gain access one way or another.

With a backup and recovery plan you will have the main guideline for your data

backup. Make sure that the backup device is secure located or secure treasured.

The backup media should be located on a different place than the original data

(e.g. in case of fire, burglary). If you are using a cloud solution to backup your

data read the terms and conditions carefully. Some cloud solution scan the data

for commercial purposes or will give the data to third parties (government,

investigation). Some terms and conditions also contain provisions concerning the

place of jurisdiction, which is often where the cloud provider is based. If you are

working with sensitive data you have to encrypt the backup data.

In the fist step it doesn’t count how often you backup your data (every hour, every

day, every two days). It really counts that you backup your data and having a

professional backup plan.

Ask your IT-department or IT-service for a backup plan. Specialized IT-company,

data protection officer will support you for a perfect backup plan.


✔ 3. Staff training

Training, training, training!! Implement an employee cyber security training

program. Realize that it is not a matter of whether, but when, a cyber-attack or

security breach will occur; be prepared through training. Cyber Hackers usually

hit the easiest targets first, much like thieves operating in a neighborhood during

the holidays. A common breach can occur after a user clicks on a link in a spam

or phishing email, and whether such an attack is financially motivated, or an

attempt to cause mayhem in the city, or an act of revenge by a terminated city

employee, it must be confronted and effectively mitigated. Conclusion: Training,

training, training.

Use conferences like IMLA for you training and expertise update. Questions the

human resources department on whether it can help support a security

awareness-training program. Or ask us for training you, your local authorities,

your staff.


✔ 4. Vulnerability scanning and patching

Conduct regular penetration tests and vulnerability scans of infrastructure. The

increased vulnerability that comes with this increased technology raises security

concerns about Advanced Persistent Threat (APT), which are targeted attacks

executed by a hacker or group of hackers, perhaps using malware, in which the

attackers are motivated not by financial gain so much as by political gain or

“hacktivism.” The Smart London Initiative is the focal point of an analysis cited

above, Poul Nielsen, Smart City Security and Cyber Attacks, Feb. 25, 2016,

http://www.informationsecuritybuzz.com/articles/smart-city-security-and-cyber-

attacks/, in which a troubling scenario is outlined for a city of over 8.5 million

people in which a critical service is attacked and many operations dependent on

that service malfunction or shut down.

The cause of vulnerability is diverse: the concept or configuration of an IT-product

(software, hardware), how many people using the product, which person has

which user rights.

This points to the need for authorities to develop and implement solutions to

monitor their IT infrastructure and end-user endpoints, the weakest link in the IT

security chain with the greatest vulnerability.

Specialized IT-companies will find all your vulnerability. If you hire a former

hacker he/she will find your vulnerabilities fore sure. And train your staff (see

above).


✔ 5. Updating and patching product servers

Don’t work with Windows XP any more in you authority or office, like the capital of

German, Berlin, did till 2015.

Security updates and patches from your software producer must be installed.

Before installing a update you should make a backup (see above No. 2). If you

are updating your device or infrastructure be sure that the download source is an

official one or from a official website of your software product.

Most software automatically inform or ask your for updating or patching your

software. Trust them or ask your IT department to never miss a security update.

✔ 6. Application whitelisting

On a higher level of protection with an application whitelisting you control which

user could start programs. With an application whitelisting you also control in

which directory users could be working or starting programs.

The application whitelisting should be installed and controlled by the IT-

department.


✔ 7. Incident response

Security incidents must be determined and evaluated fast and effective to prevent

future security breaches or damages. For that reason you need a given and

proofed procedure to deal with security incidents. Therefore you establish a so

called “Security Incident Response” or “Security Incident Handling”.

Implement measures for detecting compromises and develop a cyber security

incident response plan that includes such measures at intrusion detection

systems (IDSs) and intrusion prevention systems (IPSs), antivirus software and

logs to help detect compromises in their earliest stages.

✔ 8. Business continuity

Business Continuity Management (BCM) means all organizational, technical and

personal measure to continue the „main business“ of the authority or company

after a security breach or incident. In addition to that with a BCM-plan your

company or authority could be continuing working in case of a long disruption e.g.

power is down.

Specialized IT-companies or local or state requirements will lay down a perfect

Business-Continuity-Management-Plan for your office and authority.


✔ 9. Restriction administration privileges The administrator of an IT-infrastructure is the administrator. The end-user of an

IT-infrastructure is the end-user. Did you ever asked yourself why the end-user

has the same rights as the administration. It’s not a constitutional right – changed

that today!

Most of the hacker attacks occurred through an email-attachment that the end-

user opened. The sender of the email looks very official or comes from a know

email-address, it could be a application form attached or an pdf- or zip file.

Another examples in which a cyber hacker tries to access a computer or sensitive

information stored in it is by offering to “fix” the computer. In a blog by Andrew

Johnson, Division of Consumer and Business Education for the FCC, entitled

Official-sounding calls about an email hack, April 6, 2016, at

https://www.onguardonline.gov/blog/official-sounding-calls-about-email-hack, this

latest form of hacking takes place when a person gets a call from a person

identifying himself or herself as representing the Global Privacy Enforcement

Network, in which they claim that the person’s email account has been hacked

and is sending fraudulent messages.

In both examples happened the same: a malware is opened from the end-user

(by opening the attachment or by installing the offered “fix”-program) and the

malicious software will install by the end-user just because the end-user has the

user-right to install programs.

Our tip: Administrators and end-users must have different administration

privileges!


✔ 10. Network segmentation and segregation into

security zones

Implement network segmentation and apply firewalls, classifying and categorizing

IT assets, data, and personnel into specific groups and then restricting access to

those groups.

We will give you a simple example: If you cook at home you use different pots to

segregate the food because every food needs his own attention and preparation.

Do that the same way in your office or authority network. Some date a more

sensitive than other. Some data doesn’t match with other data. Some data are

just for special group of staff or the head of the organization or authority.

It’s like cooking: Different cooking zones and different pots are the guarantee for

the best result. For the best result for your data security use different security

zones and network segments.

Ask us for advise in both: Using different security zones and cooking!


✔ 11. input validation

Input validation, also referred to as data validation, is the outer defensive

perimeter for a web application, a perimeter that protects the core business logic,

processing and output generation. If you do not practice input validation, this can

lead to application attacks such as buffer overflow, SQL infection, and cross-site

scripting.

Data validation is the process of ensuring that a program operates on clean,

correct and accurate data.

✔ 12. file reputation

File reputation entails checking the reputation of each file against an extensive

database, typically an in-cloud database, through which users are allowed to rate

each other in online communities to build trust through reputation.


✔ 13. Understand and using firewalls

A firewall is what it’s sounds like: A wall prevents “fire” behind the wall. In our

case the “fire” are the hackers, cyber attacks, cyber thefts, foreign governments,

DDos-attacks (*). The firewall on your device or IT-infrastructure comes as a

software or hardware solution.

DDoS (Distributed Denial of Service) is a form of brute force attack in which the

attacker buys access to a botnet system that directs thousands or even millions

of computers to access the network, email system or website. Cyber security

vendors have used several approaches in an effort to prevent DDoS attacks on

municipal governments. Cyber security firms or the IT-department can build a

firewall that analyzes incoming traffic in real time and blocks incoming traffic

when certain characteristics trigger a response. Hosting and network vendors

offer cloud and hardware devices that range from $500/month for three million

packets per second to $2,500 per month for twelve million packets per second

that would protect most municipalities. Larger cities may need the services of

companies like Akamai, IBM, Microsoft, and Amazon that can run into the

hundreds of thousands or millions of dollars depending on the level of DDoS

protection needed. Cyber security firms or the IT-department can also build a

firewall to minimize the risk of a cyber attack.

Ask your IT-department officer or take a training tour like conferences to

understand how firewalls work. With every rule you implement yourself on the

firewall system (instead of a central implementation and control of the firewall

system) you open your device like a piece of Swiss cheese.


✔ 14. Penetration testing

Local government can implement security efforts in the form of security audits

and penetration tests. These measures call for paying ethical hackers to try to

breach the local government’s system and reporting their findings.

The government officials can use this information to take pre-emptive action.

Officials, from the highest to the lowest levels, must understand the long-term

cost of a data security breach, and they must understand, in context, the great

expense of a security audit or audits. They must count the cost not only in

monetary terms, but officials must also count it in terms of the loss of trust that

citizens and customers have in their governments. Further, officials must decide

whether an annual or biennial security audit is sufficient in the present and future

cyber landscape. Attention should be given to such emerging trends as hiring

24/7 managed professional security service providers. These professional can

operate from remote security operations centers with fully dedicated certified

security teams. The teams watch the local government’s network, inside and out,

and can identify real time security threats and help develop preventive counter

measures.

It is not cheap, but its cost in relative terms may make it a bargain.


-‐ EXTRA

It’s one of the most important point to know. We talked about that on IMLA-‐conference in Washington, DC in April 2017. Because it’s so important, we add that as an extra on your step-‐by-‐step-‐handout as No. 15.

✔ 15. Effective password management policies

The cat-and-mouse game that seems to be taking place constantly between the

perpetrators and victims of cyber security breaches, practices and measures is

daunting. It has spawned a number of practices that can be implemented by

municipalities to help protect their networks and systems. Some of these

practices have been implemented by the private sector and are listed in a 2015

report from Online Trust Alliance (OTA). According to OTA, if the affected

organizations and entities had implemented basic cyber security best practices,

they could have prevented 90% of recent breaches. See Security & Privacy Best

Practices (Jan. 21, 2015), https://otalliance.org/resources/security-privacy-best-

practices.

That’s why we highly recommend an effective password management policy,

including:

a. multi-factor authentication;

b. unique password for external vendor systems;

c. strong passwords comprised of an 8-character;

d. login abuse detection system monitoring connections, login counts,

cookies, and machine IDs;

e. Avoid storing passwords;

f. Remove or disable all default accounts from all devices and conduct

regular audits to ensure that inactive accounts can no longer access

your infrastructure; and

g. Remove access immediately for any terminated employees or any third

parties or vendors that no longer require access to your infrastructure.

Examples of bad passwords:

12345 your name your birthday

67890 qwerty asdfg

mom dad apple

Example of a good password:

Tyfya@ic10-2017iNF!

(Thank you for your attention @ IMLA conference 10-2017 in Niagara Falls!)

Cybersecurity Best Practices for Local Government – Best – Practice – Step-‐by-‐step

Feel free to contact us for advice, training or help:

Benjamin E. Griffith

Griffith Law Firm

IMLA International Committee

ABA Board of Governors

Sven Kohlmeier

Kohlmeier Law Firm

Attorney at Law specialized in IT law

Member of Berlin House of

Representatives

2086 Old Taylor Road, Suite 1023

Oxford, MS 38655

Phone: + 1 (662) 238-7727 www.glawms.com

Friedrichstrasse 61

10117 Berlin Germany

Phone: +49 (30) 2260 5000 www.kanzlei-kohlmeier.de

Documents

handout Cybersecurity ready · 2017. 10. 23. · Secure your data by making backups in the time your data are not stolen, lost, hacked or changed by a criminal. Or lets take a typical